ISM-0352: ASD Information Security Manual (ISM)

Secure Volatile Media by Overwriting with Random Data

Ensure SECRET and TOP SECRET volatile media are made unreadable by overwriting them with random data and verifying the overwrite with a read-back.

Plain language

This control is about making sure that digital storage devices which held SECRET or TOP SECRET information are completely wiped before being disposed of or reused. It matters because if someone gets hold of these devices, they might be able to retrieve sensitive data, putting your privacy and security at risk.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

SECRET and TOP SECRET volatile media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification.
Source: ASD Information Security Manual (ISM), ISM-0352

Why it matters

Failing to overwrite SECRET/TOP SECRET volatile media with random data and verify by read-back can leave recoverable remnants, leading to classified data exposure.

Operational notes

Overwrite all volatile media at least once with a random pattern, then perform a full read-back verification and retain logs to prove sanitisation was completed successfully.

Implementation tips

  • The IT team should identify all volatile storage media that have been used to store SECRET or TOP SECRET information to ensure proper sanitisation. This can be done by reviewing records of media use and conducting an inventory of devices.
  • System owners must develop a clear process for wiping storage media with random data. They should create a step-by-step guide for the IT staff, specifying the use of a trusted software tool that overwrites the entire device with random data.
  • IT staff should be trained on how to perform and verify the data wiping process. This should include a demonstration of running the wiping software and the steps for verification by reading the data back to ensure it’s been properly overwritten.
  • Managers should establish a policy that mandates the documentation of every media sanitisation, including the date, the method used, and the person responsible. This helps ensure accountability and traceability.
  • IT managers should conduct periodic reviews to ensure that the sanitisation process is being followed properly. They can achieve this by randomly sampling devices that have been marked as sanitised and checking the logs for compliance.

Audit / evidence tips

  • Ask: The documented policy on media sanitisation: Request to see the procedures that outline handling and sanitisation of SECRET and TOP SECRET media. Good: Includes a comprehensive document with dates and names of responsible parties.
  • Ask: Records of training conducted for staff on media sanitisation techniques. Good: Shows regularly updated training records and evidence that all relevant staff have attended.
  • Ask: Them to explain the steps they follow to sanitise media and how they verify it's been done properly. Good: Includes specific software tools used and understanding of the verification process.
  • Ask: To watch a demonstration of the media wiping process. Good: Observation shows strict adherence to the documented procedures.
  • Ask: To see the logbook or digital records capturing all sanitised media. Good: Record includes all relevant information and matches inventory records.

Cross-framework mappings

How ISM-0352 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (2)
Annex A 7.10 ISM-0352 requires SECRET and TOP SECRET volatile media to be sanitised by overwriting the entire medium at least once with a random patte...
Annex A 7.14 ISM-0352 mandates a specific sanitisation technique for SECRET and TOP SECRET volatile media: full overwrite with random data followed by...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
